Microsoft just broke my XBox One

I had something similair when I wanted to suspend my xboxlive subscription a few months back. I used sms-confirmation, but for some reason, even though the number was correct, I didn’t get a confirmation-sms. So I changed it to email, after which I recieved a message I had to wait 30 days. Which was also 30 days before my xboxlive would renew, basically meaning I would not be able to cancel it…

Luckely for me costumer services could cancel the subscription for me in time, so it turned out alright in the end. But I find it ridiculous that their continues extra safety precautions cause this much trouble.

As for the OP: I believe the only way out of the 30 days wait is to get the original emailaccount working again, somehow. If you can get that working again, then you can still acces your account that way. But if you could, you probably would have done so already, so this is advise is probably useless. Sorry…

Unless this 30 day lockout is in the terms and agreements in some manner then its illegal. So its probably there, hidden amongst the pages and pages of crap nobody reads. Probably written as some sort of “you don’t actually own anything, in reality we can do whatever we want, whenever we want and however we want”.

Tom, no, they did not warn me beforehand. In fact at one point I asked “Can we just back out of the whole thing?” and was told no, I’m stuck. I even said "well what if I say “no, I didn’t request this” and we treat it as fraud and need to recover? Same answer.

They screwed me, plain and simple.

My wife is pretty upset. Apparently she got a controller and a game she wanted us both to play on Christmas morning. Now we have to return everyhing and she has to think of a new gift and go buy it.

I want to return this thing, but they have me over a barrel. I return it I lose hundred of dollars worth of games I’ve purchased digitally. Assholes. The stupid and were thing is, I can still play my 360 with my same account no problem. I can purchase things no problem. They will take my money, they just won’t let me use my own Xbox One. It’s a brick.

Yeah, you definitely should escalate the issue if they didn’t make it clear to you that you were going to be locked out of the Xbox for 30 days. That’s some serious incompetence there.


ElGuapo, I’m sorry to hear that. :(

It’s not illegal for Microsoft to have a security system and a quarantine period for account recovery, even if they implement it poorly. The terms of service likely have a lot of liability denial clauses that would let them off the hook and possibly a requirement for arbitration proceedings as first resort before courts or similar CYA clauses. Most of those don’t even get off the ground over here in Europe, but in the US it’s a different story.

The recovery procedures and options have been implemented and Microsoft’s security tightened with the integration of Microsoft accounts to Windows 8, Windows phones and all of their other services, where identity theft and similar issues can arise. There is a way to do account recovery that does not lock you out for 30 days, but it requires that your MS account is chained to something else that you can use yourself to do the recovery, change passwords etc. If you can, then there is no delay.

I run into these problems regularly at work, where I get calls from people who registered a Microsoft account for something. never wrote down their password, never provided a phone number or alternate email (or mistyped the alternate and didn’t check) and then they start whining at me because I can’t fix their shit immediately (I work for a third party tech support organization, not Microsoft).

I have chained all of my Microsoft accounts to other, non-Microsoft accounts, and most of those are chained back to my ISP provided emails, so that if things go tits up, I can just use the ISP account control self services to reset those (if it ever became necessary) and reset each link in the chain from there, without ever once needing to call any customer service.

Microsoft also has a smartphone app named Microsoft Account, which can be used to receive the reset codes without hassle.

It is worth it to spend ten minutes setting up the various recovery chains and the two-step authentications for each account, so that if it runs into this problem, you can fix it immediately. MS has set up these procedures precisely to enable users to do things on their own, but their phone customer service has no way of absolutely, positively verifying a caller’s identity, so they probably enforce the 30 day quarantine to shield themselves from legal liability (in case somebody’s account were accidentally handed over to an outsider).

I work with customers’ personal data every day, and identity theft and billing concerns are an everyday occurrence, and we’re legally required to be just as anal about it all. There may be some leeway in some cases, but that more or less requires three or four different things to match at the same time. Microsoft, being a multinational corporation of the size it is, cannot allow any leeway in these things because doing so opens it up to far too many and varied legal liabilities that significantly outweigh any possible benefits to them.

Those guys probably want to help, but their hands are tied and they can’t do anything about it. They probably can’t even say they wish they could help, in order to avoid contact escalation.

This I can fully agree with. Having had to deal with escalated contacts where someone did not tell the customer all the relevant information, I know exactly how sucky it can all be.

I don’t know what sort of escalation procedures MS has, or if they have any procedures in place for this sort of exception cases.

Geez, just wait 30 days, it’s not the end of the world. Yeah it sucks, but still . . .

Where did he say it was the end of the world?


Yes it sucks. Security sucks in general, be it online or in an airport. Its part of life. Either make a stand and dump the xbox or wait it out. First world problems, FTW.

Ok, couple of things.

  1. I can validate with two step,authentication all day. They have my email and phone number on file. When they sent out the code to verify my identity, I did it three times with the guy on the phone. Twice on my phone and once on my email. It’s not a verification or identity issue. My identity is certain and validated.

  2. I know, first world problems, etc. That is, no offense, a stupid thing to say. You’re on a videogames board. If you feel that strongly, go ahead and give all your videogames away to a third world family, tough guy. No? I didn’t think so. This is a consumer complaint story, sorry of it offends your sensibilities. You’ve never looked forward to playing a game over a holiday break?

With Blizzard (and I think most 2FA methods I’ve used), there’s a key in the app you can record somewhere so that you can restore to a second phone if need be. I know I’ve used it before when I got a new phone to transfer the app.

As for the issue here, I really do sympathize, but Microsoft is in a bad spot here. If someone had called them and claimed to be the account holder, and they just let them transfer it without some sort of means to verify, then we’d be talking about how someone was able to steal the account easily. It’s disappointing for sure that the account is locked for the 30 days, but I’m not sure what else they can do here. It’s really surprising (but I guess it shouldn’t be) that the system is locked up completely because of this though.

And I’d agree with mouselock. I would never recommend to anyone using an email address tied to something I didn’t control 100% or an ISP. Either having a personal domain or something like GMail or Live (which should always be around) is the way to go.

Should they lock the account for purchases? Ok, maybe. I can’t play ANY game. I can’t watch movies. I can’t play single player. I can’t even turn it on. That’s reasonable?

My problem was that I owned two domains but the cost of using both was too much. So I let one go thinking I had switched everything over. My kids forgot to change the email address from my old domain to one of their email addresses on the family X-live account.

What I do not understand is that I had a secondary email address attached to the account but Microsoft told me that it was never verified? Really? I always hit the links after adding a new email address when they send one. That was the whole point of having a secondary backup for verification. Somewhere along the line it was messed up.

I am going to figure out where that backup key is for my authentication apps. Good to know.

So, this confirms then, as I supposed, that MS has no exception procedures on file for something like this. At my workplace, if you’ve forgotten everything, basically you either have to use online banking to validate yourself (we have a nationwide authentication system the banks use) or you show up at a store with ID, else you stay locked out of your stuff. We can wing it on the phone, if we can verify sufficiently, which means if we have the person’s phone number on file AND they call from that number AND they can recite the correct address AND social security number AND if we then feel we have sufficiently confirmed they are who they say they are. Usually the problem is email passwords, so if I can remote into their machine and see that they’ve been receiving the emails for that inbox for the past several months or years and everything else checks out, then I’ll reset the password and fix it.

There is no way Microsoft could give this much leeway to their employees without getting their pants sued off in some part of the world, and apparently they don’t give access to an emergency reactivation switch to just anyone, assuming they have even implemented one. Or if they have, it’s quite possible they haven’t implemented proper procedures yet or sufficiently trained their staff.

I assume you’ve called back and talked with other support personnel? Having dealt with CS on numerous occasions for job related issues you learn over the years that sometimes it’s just a matter of getting the right person on the phone.

Poor service, sure. But it seems this sort of poor service is tightly tied to the profit/loss calculations companies make about their online services. Screw over some folks? Fine, as long as you avoid larger costs in the long run.

The answer to this is: use a password manager.

So something must have processed because it just fixed itself. Hmm. Cautiously optimistic until I hear from them. Now I’m paranoid that within this 30 day period it will prompt me again. Maybe I’ll log in through the website and see if I have any messages.

Sweet. I hope that’s permanent.

No, that’s not really the lesson at all. I mean, really really not. “Everyone should just have their own domain for their entire life” is a ridiculous idea in any context, but particularly in this case.